The Iranian opposition coordinated a cyber attack yesterday that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites

The Iranian opposition coordinated a cyber attack yesterday that has successfully managed to disrupt access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage which continues returning a “The maximum number of user reached, Server is too busy, please try again later…” message.

Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

The campaign appears to have been organized through Twitter, which despite public reports that the site has been banned in Iran, appears to be still accessible through a a persistent supply of proxy servers on behalf of the opposition.

Moreover, the ongoing distributed denial of service attacks, are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception - there’s no indication of a botnet involvement in the present attack.

Instead, the attack relies on the so called people’s information warfare concept, which is the self-mobilization of individuals, or their recruitment based on political/nationalistic sentiments by a third-party, for conducting various hacktivism activities such as web site defacements, or launching distributed denial of service attacks.

The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:

Ahmadinejad.ir - Mahmoud Ahmadinejad’s Official Blog - under attackLeader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attackPresident.ir - Presidency of The Islamic Republic - under attackFarsnnews.com - Fars News Agency - under attackIrib.ir - Islamic Republic of Iran Broadcasting - under attackKayhannews.ir - News Portal - “Service Unavailable”Irna.ir - Islamic Republic News Agency - “service unavailable”Mfa.gov.ir - Ministry of foreign affairs , Islamic Republic of Iran - under attackMoi.ir - Ministry of Interior - under attackPolice.ir - National Police - under attackJustice.ir - Ministry of Justice - under attackPresstv.ir - Iranian Press TV - “server is too busy”

Among the first web-based denial of service attack used, is a tool called “Page Rebooter” which is basically allowing everyone to set an interval for refreshing a particular page, in this case it’s 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages link the following :

“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”

The second stage of the campaign consisted in the distribution of a multiple iFrame loading script which was automatically refreshing farsnews.com, irna.ir and rajanews.com. The script has since changed its location and is advertised under a new domain.

The third stage included a combined attack, this time including DIY (do-it-yourself) denial of service tools (DDoS), which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images at the targeted web sites, one which the software using proxies will attempt to obtain automatically.

The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA); PingFlooder.exe (flagged as banker malware); Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors. The last tool is a basic PHP script targeting those running a server that supports PHP in order to use it.

SupportIran.php has also been released as an improved version to the multiple iFrame loader, and is currently used in the attack as well, having the following sites pre-defined to attack simultaneously - khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.

There have already been speculations that the magnitude of these local attacks — Iranian users targeting Iranian web sites – is contributing to the “strange changes in Iranian traffic transit” reported during the last couple of days. The attacks are still ongoing.

Credit: ZDNet.com Security Blogs

Source: Cyber Insecure